Fueling the Fire

Published on November 2016 | Categories: Documents | Downloads: 31 | Comments: 0 | Views: 197
of 9
Download PDF   Embed   Report

Comments

Content

1

Fueling the Fire
How Gas Pumps Make Easy Targets For Debit and Credit Card Fraud

George Martin, MBA, CAMS September 30, 2012

Copyright © 2012 George M. Martin All Rights Reserved.

2

As the existence of remote credit and debit card payment terminals become

increasingly ubiquitous, so too does the risk of fraud. In attempts to further reduce expenses and increase the bottom line, business owners and corporations continue to place these terminals and self-serve kiosks where employees once stood- where they also once served as the first line of defense against such criminal acts. Gone are the days of face-face theft, and in its place came along technology which offered speed, convenience and above all else- anonymity. According to Secret Service figures, in 2010 skimmers netted an average of $30,000 per incident while in 2011, their take rose to $50,000. By comparison, “the average bank robbery might be around $3,000 to $4,000” says Doug Johnson, vice president of risk management policy at the American Bankers Association. 1 Consequently, customers, businesses and financial institutions find themselves falling victim to these schemes which are often quite sophisticated and complex operations. Not to be outdone, however, even amateur criminals are cashing in. With just a few hundred dollars, a little ambition and some ingenuity, practically anyone can purchase the hardware necessary to carry out their own scams, with surprisingly profitable results. No longer are criminals relegated to using physical skimming devices alone, either. In recent years, card issuers are increasingly using radio frequency identification tag devices inside their cards, which make data interception and breaches even easier than before. The question arising is no longer if the schemes will pay off, but where can these schemes be perpetrated to be most effective. As a result, criminal syndicates have plenty of devices and destinations at which they can exploit unsuspecting victims. While ATM terminals and Internet merchants are typically regarded by consumers as the usual suspects for the theft of financial data, that’s not always the case. Routine, unsuspecting transactions at places like the grocery store, neighborhood coffee shop and local gas station are also hotbeds for fraud. This paper examines the emerging predicament of credit and debit card skimming at gas stations and its effects. This paper also discusses practical solutions that financial institutions can implement in an effort to monitor for, and combat such acts to minimize potential losses.

Show Me the Money Plastic
For decades, issuing banks pushed credit cards on the public as a means of convenience and sophistication when making purchases. The advent of ecommerce and online shopping made the use of such cards as commonplace as cash once was. Issuing banks even found a way to tap the market of those consumers who did not qualify for credit cards, instead offering them debit cards tied to available balances in their deposit accounts. It is nearly impossible in today’s business landscape to visit a retail location and pay with anything but plastic.

Copyright © 2012 George M. Martin All Rights Reserved.

3

Card Type Debit*
* *

# Of Cards in Circulation (in millions)

% Increase Over 2010

1.479 B 354 2.664 B

+6.1% +19.9% +21.9%

*represents both debit and pre-paid cards Credit

869 705.4 285.0 97.4

+0.4% +4.1% +24.1% +7.0%

Debit cards are immensely popular and allow consumers the ability to make purchases without writing cumbersome checks. Debit cards also level the playing field between businesses and consumers located in different countries and jurisdictions that typically buy and sell goods in different currencies. And as time progresses, banks are offering more than just traditional credit and debit cards to their suite of product offerings by introducing more forms of pre-paid and stored value cards. The chart to the left illustrates the size and yearover-year growth of debit and credit card penetration for select card types.

2011 Global Debit and Credit Card Penetration Source: The Nilson Report, April 20122

Needless to say, this data illustrates the future of commerce with an enthusiastic consumer base following in its wake. Traditional Card Readers In the past, most crude forms of card skimming took place at ATMs, where thieves concealed the real card slot with their own device, which was designed to look like the real thing. Similarly, perpetrators would install a small device either in front of, of behind the actual card reader slot. The devices read all of the personal information off of the card's magnetic strip, while a secret camera simultaneously filmed the victims entering their PIN numbers. Some of the newer, more sophisticated card readers are making it nearly impossible to even detect such devices. According to recent reports from the European ATM Security Team (EAST)3, a non-profit international network dedicated to fighting cross-border international crime, newer card skimmers are physically inserted into point of sale terminals and ATMs to steal card and PIN data. Some of these devices are “wafer-thin”, and do not present some of the more obvious characteristics such as bulkier hardware modifications or changes to physical appearance of the terminals. RFID and “Contactless” Payment According to the Smart Card Association4, “contactless payment” changes the way debit or credit payments are handled when making a purchase. Contactless payment transactions require little to no physical connection between the card and the checkout device. Rather than physically swiping or inserting a card into a card reading terminal or device, the contactless card is tapped on or held within centimeters of a machine that “reads” a smart card chip embedded in the card instead, and the payment information is sent to the merchant wirelessly. Copyright © 2012 George M. Martin All Rights Reserved.

4 Visa calls its technology payWave; MasterCard calls its PayPass; Discover Card named its RFID card Zip; and American Express calls it ExpressPay. Regardless of the marketing push behind each of these products, the underlying technological RFID concept is the same. The stolen information is then copied onto a removable storage device such as a SD card, or can even be transmitted wirelessly to the perpetrators. Once they have the data, they can use it for fraudulent purchases or, as is the case with debit cards, for the manufacture of “clone” cards so they can be used at ATMs and other points of sale to drain cash or make purchases from victims' accounts. Unlike traditional card readers, some RFID readers even capture a one-time CVV number used by contactless cards to authenticate payments. According to industry experts, those codes can only be used for one transaction, and in the order they are generated. If a payment processor detects multiple transactions with the same code or even codes being used to make transactions in the wrong order, it will disable the card. Consequently, a contactless card scammer will likely only be able to use each stolen number once. 5

Gas Pumps Make Easy Prey
Criminals realized that gaining access to victims' card numbers and PINs could be done much easier, and through similar methods at gas station pumps rather than the ATM. And access to those card readers were much easier and more difficult to detect. Because many stations use universal or a limited set of master keys to access the pumps, placement of the devices was not difficult either. Similar to ATM skimming devices, fuel pump devices also read the magnetic strip from the cards, while hidden cameras pick up keypad entries for PINs. Gas pump card skimmers are easily hidden out-of-sight either inside the pumps or, as is the case with RFID readers, within close proximity to the actual card reader. These readers or skimmers can remain undetected for long periods of time by unsuspecting employees and customers, and there is the potential to access hundreds of card numbers every day. Furthermore, customers making purchases at gas pumps are preoccupied with pumping gas- not necessarily examining the payment terminal- thus one more advantage for the thief.

“People don’t expect that when they swipe their credit card at a gas station, they are handing over their credit card information to crooks.”

- U.S. Attorney Sally Quillian Yates

Copyright © 2012 George M. Martin All Rights Reserved.

5

Examples of Credit and Debit Card Compromises
Although both the mainstream and alternative media have certainly brought this issue of debit and credit card fraud to the forefront of American consumer consciousness, criminal elements across the country and elsewhere continue the course. A Tale of Two Stations September 2009 – Paso Robles, CA and Atascadero, CA In September 2009, this author was made aware of an inordinate number of FRB Regulation E claims from unrelated customers. In each complaint and request for reimbursement for unauthorized transactions on their debit cards, the customers described occasional use of their cards only to observe fraudulent transactions at merchants located several hundred miles away in Southern California. Deeper investigation in the ensuing days using transaction codes associated with the transactions revealed a common point of purchase (CPP) at a gas station chain with locations in Paso Robles and Atascadero, CA. After alerting law enforcement of the observations, detectives discovered a card skimming device affixed to a singular point of sale terminal at each of the gas stations. What made this scam even more lucrative and highly efficient for the perpetrators, was the fact that each gas station used only one exterior point of sale terminal for the entire station. Consequently, the sole POS terminals were recording debit and credit card information for all sixteen pumps at the station sites. With the assistance of the gas station’s owner, law enforcement established a sting which resulted in the arrest of several members of an organized criminal ring operating 200 miles away in Los Angeles. Inside Job July 2010- Alpharetta, GA Criminals do not necessarily operate solely from the outside. Often times it’s an inside job. Take the case of Boris Toumasian, a gas station employee who was convicted of conspiracy, fraud and identity theft after stealing credit and debit card information from customers. In 2008, Toumasian worked at a BP gas station in Alpharetta, Georgia. Along with two alleged conspirators, Toumasian installed a skimming device at the gas station that recorded the credit and debit card numbers of customers who visited the store and used their cards. The device also recorded the customers’ personal identification numbers (PINs). Toumasian and his conspirators subsequently transferred the stolen card numbers to the magnetic stripes on American Express gift cards. They then used the altered gift cards to withdraw money from the victims’ bank accounts at ATMs and to purchase electronics at retailers. In its investigation, law enforcement identified over 175 victims of the scheme.

Copyright © 2012 George M. Martin All Rights Reserved.

6 In December 2008, law enforcement officers executed search warrants at two locations in Alpharetta, GA where Toumasian was known to have lived. They found over 44 gift cards fraudulently encoded with credit and debit card information, over $50,000 in cash, multiple skimming devices used to collect card data, a laptop computer with stolen account information, false fronts for ATMs and gas station pumps, a device used to encode cards with account information, and a pinhole camera used to video customers entering their PINs. (Source: US Department of Justice, August 24, 2012) Inside Job, Part Deux July 2012- Santa Ana, CA Some criminals have the moral gumption to just allow the criminal activity, not necessarily carry it out on their own. Take the example of a Santa Ana, CA Shell gas station employee, Bhavesh Vithalbhai Lakhani, who ultimately confessed to have taken over $50,000 to allow other criminals to plant ATM card skimming devices inside gas pumps. According to the United States Attorney, Lakhani allowed his conspirators to insert the skimming devices inside the gas pumps at his station on at least 10 occasions. The devices allowed the criminals to gain access to credit card numbers and ATM PINs. In an ironic twist showing that Lakhani was not such a hard core criminal after all, he had also been asked to let other criminals place a hidden camera in the gas station office ceiling so that they could steal ATM access codes, but he reportedly refused that request. (Source: OC Weekly) Don’t Mess with Texas July 2012- Fort Worth, TX A California man, Aleksandr Goukasian, was convicted in July 2012 of participating in a nationwide theft ring that "skimmed" consumers' account information from automated gas pumps. According to prosecutors, Goukasian and his conspirators placed high-tech skimming devices inside gas pumps and then used them to obtain credit and debit card information and PIN numbers when consumers used the pumps. They then used the information to create new cards, which they used to withdraw cash from accounts and to purchase items. A total of 13 skimmers were found in North Texas, while others were found in Houston, TX, California and Nevada. Investigators suspect the ring collected 38,000 card numbers and stole more than $100,000. (Source: Fort Worth Star-Telegram)

Surveillance Using Automated Monitoring Software
Knowledgeable AML, fraud and security professionals will tell you that the best way to prevent such fraud is to avoid the electronic debit or credit card transaction altogether by paying with cash. And if not cash, then pre-paying inside with a cashier is then preferred.

Copyright © 2012 George M. Martin All Rights Reserved.

7 However, these forms of electronic payment offer speed and convenience to both consumers and business, and as evidenced by the emergence of self serve payment kiosks, have become the preferred payment method in the industry. Consequently, it has become the responsibility of the financial institution- the creator of such payments- to solve these problems. In addition to whatever measures fueling stations and their owners undertake to protect their customers, financial institutions need to ensure an effective transaction monitoring system is in place to not only identify and stop debit and credit card fraud, but to also limit future security breaches. When designing and implementing an effective monitoring system, the following areas of detection should be considered: 1. Common Point(s) of Compromise/Purchase- This is determined by identifying a set of accounts with legitimate debit or credit card holder usage, that possess a) a single common merchant identifier prior to any fraudulent activity and b) is not associated with a previously observed data compromise event. Geographical Correlation- Often times, subsequent card fraud will occur within close geographical proximity to the original point of compromise. This is more difficult to discover when the fraud is perpetrated by more sophisticated groups or organizations, where the extent of fraud conducted could be inter-state, or in some cases international. Geographical Segmentation- In an effort to properly ascertain the extent of the potential fraud, and mitigate any future losses, examine where the fraudulent activity occurs. Does the fraud occur in a certain metropolitan area? Is the activity relegated to a geographical region with common business or economic characteristics (e.g., trucking/shipping lanes, agricultural regions, business parks). Also determine if the activity was specific to a certain county or state, depending where your financial institution does business. Common Customer Characteristics- Examine if any of the affected customers exhibit any occupational correlation such as employer, occupation, or transaction location such as financial institution, common branch location of activity, etc. This helps establish the potential source of a data breach, but not necessarily the actual point of card compromise. In one such real life instance, this author was able to identify a bank employee selling customer information to conspirators, who then used ATMs throughout the state to perpetrate fraud on those customer accounts. Compromise Time Frame- Pin point whether the card compromises occurred within a certain time period. Typically in such fraud cases, time is of the essence. Criminals know that once the customer card information has been obtained, time works against them. In order to maximize their bounty, they will strike fast and furious. If your automated systems allow, attempt to work in as “real time” if possible. Also work as closely as possible with decision makers within your institution’s operations department. Typically a few tweaks of your institution’s core processing system allow for immediate data extracts

2.

3.

4.

5.

Copyright © 2012 George M. Martin All Rights Reserved.

8 that will prove helpful in any immediate investigation or risk mitigation effort. 6. Unsuspecting Fraud Amount- Today’s sophisticated criminal enterprises are very knowledgeable about the amounts and frequency of fraud to perpetrate without causing alarm. Suspicious Activity Report (SAR) and Monetary Instrument Log (MIL) filing thresholds are public knowledge and criminals pay close attention. If your automated surveillance system allows you to establish monetary thresholds, look for transactions and trends below the SAR filing and MIL reporting thresholds. Criminals are greedy indeed, but they won’t sacrifice a good thing all at once. They will often times conduct multiple, low-dollar fraudulent transactions referred to as micro-payment fraud, if they think they can extract more money without detection over longer periods of time.

Future Threats
While this paper focuses on gas pump fraud and associated risk mitigation efforts, there are budding trends likely to compete with this type of activity. For example, the emergence of other mobile, low cost payment systems such as Square and GoPago, also present new challenges to the fraud prevention landscape. As has been seen with remote payment kiosks such as gas pumps, industry practitioners can be assured criminals will be working hard to also take advantage of these mobile payment systems.

Conclusion
As the financial services industry continues to innovate and make transactions more convenient for the customer and cost-effective for business, it is a foregone conclusion that criminal enterprises will work diligently to exploit any perceived weaknesses in the system. As has been demonstrated, gas pumps present criminals with the means (simplicity), motive (high volume of transactions) and opportunity (anonymity) to steal card information and commit identity theft to perpetrate fraud. The advent of technology through advanced hardware, software and data transmission only make this type of fraud more attractive to the aspiring criminal or sophisticated criminal enterprise. While businesses such as gas stations may undertake efforts to combat this type of fraud at the point of sale through employee and consumer education and awareness, it’s apparent that it has become increasingly incumbent upon financial institutions to do their part to combat such activity themselves. Through several initiatives, including those outlined in this paper, banks and industry practitioners can implement sound, effective monitoring programs tailored to identify and mitigate respective fraud risks. Advanced monitoring software systems, coupled with sensible, practical approaches in surveillance design, will certainly cause effective results.

Copyright © 2012 George M. Martin All Rights Reserved.

9

About
George M. Martin, MBA, CAMS, is an expert in AML surveillance, Fraud detection and compliance risk mitigation. He has been involved in AML, Fraud and regulatory compliance for over ten years. His risk management experience spans several areas of the financial services industry including securities, insurance, banking and money service businesses. He is a member of the Association of Certified Anti-Money Laundering Specialists (ACAMS) and Association of Certified Fraud Examiners (ACFE). For more information, visit www.georgemmartin.com, or e-mail [email protected].

End Notes
1

Gallagher, Shawn. Automated robbery: how card skimmers (still) steal millions from banks. June 24, 2012. Retrieved from: http://arstechnica.com/security/2012/06/automated-robbery-how-cardskimmers-still-steal-millions-from-banks/ 2 The Nilson Report. Worldwide Purchase Transactions on General Purpose Cards with Global Brands. April 2012. Retrieved from: http://nilsonreport.com/issues/2012/992.htm 3 EAST. EAST Research Results. June 2012. Retrieved from: https://www.european-atmsecurity.eu/ATM%20Research/ 4 Smart Card Alliance. Retrieved from: http://www.smartcardalliance.org/pages/smart-cards-faq#whatis-contactless-payment 5 Greenberg, Andy. Hacker's Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets. Forbes Magazine. January 30, 2012. Retrieved from: http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-creditcards-can-be-read-through-clothes-and-wallets/

Copyright © 2012 George M. Martin All Rights Reserved.

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close